diff --git a/README.md b/README.md index e88bf414..a02030c9 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ WARNING: this feature allows you to effectively disable security on your cloud! This charm has a configuration option to allow users to disable any per-instance security group management; this must used with neutron-security-groups enabled in the neutron-api charm and could be used to turn off security on selected set of compute nodes: juju deploy neutron-openvswitch neutron-openvswitch-insecure - juju set neutron-openvswitch-insecure disable-security-groups=True + juju set neutron-openvswitch-insecure disable-security-groups=True prevent-arp-spoofing=False juju deploy nova-compute nova-compute-insecure juju add-relation nova-compute-insecure neutron-openvswitch-insecure ... diff --git a/config.yaml b/config.yaml index a8346f4b..cf1b506f 100644 --- a/config.yaml +++ b/config.yaml @@ -111,3 +111,12 @@ options: which do not include a neutron-gateway (do not require l3, lbaas or vpnaas services) and should only be used in-conjunction with flat or VLAN provider networks configurations. + prevent-arp-spoofing: + type: boolean + default: true + description: | + Enable suppression of ARP responses that don't match an IP address that belongs + to the port from which they originate. + . + Only supported in OpenStack Liberty or newer, which has the required minimum version + of Open vSwitch. diff --git a/hooks/neutron_ovs_context.py b/hooks/neutron_ovs_context.py index 1ba8a84a..f2b0a7cc 100644 --- a/hooks/neutron_ovs_context.py +++ b/hooks/neutron_ovs_context.py @@ -58,6 +58,7 @@ class OVSPluginContext(context.NeutronContext): ovs_ctxt['use_syslog'] = conf['use-syslog'] ovs_ctxt['verbose'] = conf['verbose'] ovs_ctxt['debug'] = conf['debug'] + ovs_ctxt['prevent_arp_spoofing'] = conf['prevent-arp-spoofing'] net_dev_mtu = neutron_api_settings.get('network_device_mtu') if net_dev_mtu: 
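Review bot: The description of the new `prevent-arp-spoofing` option in the config.yaml hunk says it is only supported on Liberty or newer, but does not say what happens when the charm runs on an earlier release with the default of `true`; as far as this diff shows, only the new `templates/liberty/ml2_conf.ini` renders the value, while the context assignment `ovs_ctxt['prevent_arp_spoofing'] = conf['prevent-arp-spoofing']` in the hooks/neutron_ovs_context.py hunk passes it through unconditionally, so an operator on an older release may assume ARP suppression is active when it is not. Suggest appending to the description: `On earlier releases this option is accepted but has no effect.` (if that is indeed the behaviour), and a comment on the new context line, `# Only rendered by the Liberty+ ml2_conf.ini template.`. The same point applies to the hooks/neutron_ovs_context.py hunk, whose enclosing method starts and ends outside the hunk.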
diff --git a/templates/liberty/ml2_conf.ini b/templates/liberty/ml2_conf.ini
new file mode 100644
index 00000000..08d52fad
--- /dev/null
+++ b/templates/liberty/ml2_conf.ini
@@ -0,0 +1,44 @@
+# liberty
+###############################################################################
+# [ WARNING ]
+# Configuration file maintained by Juju. Local changes may be overwritten.
+# Config managed by neutron-openvswitch charm
+###############################################################################
+[ml2]
+type_drivers = gre,vxlan,vlan,flat
+tenant_network_types = gre,vxlan,vlan,flat
+mechanism_drivers = openvswitch,hyperv,l2population
+
+[ml2_type_gre]
+tunnel_id_ranges = 1:1000
+
+[ml2_type_vxlan]
+vni_ranges = 1001:2000
+
+[ml2_type_vlan]
+network_vlan_ranges = {{ vlan_ranges }}
+
+[ml2_type_flat]
+flat_networks = {{ network_providers }}
+
+[ovs]
+enable_tunneling = True
+local_ip = {{ local_ip }}
+bridge_mappings = {{ bridge_mappings }}
+
+[agent]
+tunnel_types = {{ overlay_network_type }}
+l2_population = {{ l2_population }}
+enable_distributed_routing = {{ distributed_routing }}
+prevent_arp_spoofing = {{ prevent_arp_spoofing }}
+{% if veth_mtu -%}
+veth_mtu = {{ veth_mtu }}
+{% endif -%}
+
+[securitygroup]
+{% if neutron_security_groups -%}
+enable_security_group = True
+firewall_driver = neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
+{% else -%}
+enable_security_group = False
+{% endif -%}
diff --git a/unit_tests/test_neutron_ovs_context.py b/unit_tests/test_neutron_ovs_context.py
index 85692811..43755fe0 100644
--- a/unit_tests/test_neutron_ovs_context.py
+++ b/unit_tests/test_neutron_ovs_context.py
@@ -95,7 +95,8 @@ class OVSPluginContextTest(CharmTestCase):
 'verbose': True,
 'debug': True,
 'bridge-mappings': "physnet1:br-data physnet2:br-data",
- 'flat-network-providers': 'physnet3 physnet4'}
+ 'flat-network-providers': 'physnet3 physnet4',
+ 'prevent-arp-spoofing': False}
 def mock_config(key=None):
 if key:
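Review bot: The new `prevent_arp_spoofing = {{ prevent_arp_spoofing }}` line in the `[agent]` section of the added template carries no hint of what it controls or which charm option feeds it, unlike the description given in config.yaml, so an operator reading the rendered file on a compute node has nothing to go on. Suggest a comment line directly above it: `# Drop ARP replies whose IP is not bound to the originating port (charm option prevent-arp-spoofing).`. It would also help to say in that comment that the setting is independent of the `[securitygroup]` block below, since this file can be rendered with `enable_security_group = False`, and the relationship between the two is not obvious from the template alone.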
@@ -140,6 +141,7 @@ class OVSPluginContextTest(CharmTestCase):
 'network_providers': 'physnet3,physnet4',
 'bridge_mappings': 'physnet1:br-data,physnet2:br-data',
 'vlan_ranges': 'physnet1:1000:1500,physnet2:2000:2500',
+ 'prevent_arp_spoofing': False,
 }
 self.assertEquals(expect, napi_ctxt())
@@ -204,6 +206,7 @@ class OVSPluginContextTest(CharmTestCase):
 'overlay_network_type': 'gre',
 'bridge_mappings': 'physnet1:br-data',
 'vlan_ranges': 'physnet1:1000:2000',
+ 'prevent_arp_spoofing': True,
 }
 self.assertEquals(expect, napi_ctxt())